dce8414af7a9788c0286797163081e4f0f50284a2fdf178ef7110ed8d99da97f

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 04:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4c4ca01dfb51d267a2d39c4f5bd4419.exe
Size

49KB
MD5

f4c4ca01dfb51d267a2d39c4f5bd4419
SHA1

ab45801c13f5ff352ccfa9a650d44469ef2465dc
SHA256

dce8414af7a9788c0286797163081e4f0f50284a2fdf178ef7110ed8d99da97f
SHA512

e3feaa553d2c5670d12c7cf5bed30fed22b2cf4087116559547baa79b3581fcb3efe16cadb71076d351af82779b63cc58fc147aa7c7cd3f32c81924f469d5e2b
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzpAIH:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7M

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	hurok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	f4c4ca01dfb51d267a2d39c4f5bd4419.exe

Executes dropped EXE 1 IoCs

pid	Process
216	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 216	2212	f4c4ca01dfb51d267a2d39c4f5bd4419.exe	84
PID 2212 wrote to memory of 216	2212	f4c4ca01dfb51d267a2d39c4f5bd4419.exe	84
PID 2212 wrote to memory of 216	2212	f4c4ca01dfb51d267a2d39c4f5bd4419.exe	84

C:\Users\Admin\AppData\Local\Temp\f4c4ca01dfb51d267a2d39c4f5bd4419.exe
"C:\Users\Admin\AppData\Local\Temp\f4c4ca01dfb51d267a2d39c4f5bd4419.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
49KB

MD5
e8dd1461d73fb3908c19f4f0ca6f2279

SHA1
7f65186f264458c6b1e56bd8085cc1802231528d

SHA256
2391417ff5ce631b0bc3a2ffe5441fab5119ae2d20393b6f96d4e8572bd6690c

SHA512
3b4ed4350afc304d91b3da15717a3a578f5ee4271b5ba7c58a4dd01435866dffbf2d276686c48789d1ff22998a9c2ac1f77843794ca00a6fc1d2b73913b370a7

Download Submit
memory/216-19-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2212-0-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/2212-1-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/2212-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download